From: "Wu, Hao A" <hao.a.wu@intel.com>
To: "Zeng, Star" <star.zeng@intel.com>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: Laszlo Ersek <lersek@redhat.com>, "Yao, Jiewen" <jiewen.yao@intel.com>
Subject: Re: [PATCH v1 1/2] MdeModulePkg/SmmCorePerfLib: [CVE-2017-5753] Fix bounds check bypass
Date: Fri, 16 Nov 2018 03:45:03 +0000 [thread overview]
Message-ID: <B80AF82E9BFB8E4FBD8C89DA810C6A093C84D39F@SHSMSX104.ccr.corp.intel.com> (raw)
In-Reply-To: <85786150-dbb8-9abe-ce5c-96a9d4f2167a@intel.com>
> -----Original Message-----
> From: Zeng, Star
> Sent: Friday, November 16, 2018 11:14 AM
> To: Wu, Hao A; edk2-devel@lists.01.org
> Cc: Laszlo Ersek; Yao, Jiewen; Zeng, Star
> Subject: Re: [edk2] [PATCH v1 1/2] MdeModulePkg/SmmCorePerfLib: [CVE-
> 2017-5753] Fix bounds check bypass
>
> On 2018/11/16 9:37, Hao Wu wrote:
> > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194
> >
> > Speculative execution is used by processor to avoid having to wait for
> > data to arrive from memory, or for previous operations to finish, the
> > processor may speculate as to what will be executed.
> >
> > If the speculation is incorrect, the speculatively executed instructions
> > might leave hints such as which memory locations have been brought into
> > cache. Malicious actors can use the bounds check bypass method (code
> > gadgets with controlled external inputs) to infer data values that have
> > been used in speculative operations to reveal secrets which should not
> > otherwise be accessed.
> >
> > This commit will focus on the SMI handler(s) registered within the
> > TBD.
>
> What does the 'TBD' mean here?
Sorry. Patch was generated on the wrong commit, I will send a V2 of the series
to address this.
Best Regards,
Hao Wu
>
> Thanks,
> Star
>
> >
> > Hence, this commit adds a AsmLfence() after the boundary/range checks of
> > 'CommBuffer' to prevent the speculative execution.
> >
> > A more detailed explanation of the purpose of commit is under the
> > 'Bounds check bypass mitigation' section of the below link:
> > https://software.intel.com/security-software-guidance/insights/host-
> firmware-speculative-execution-side-channel-mitigation
> >
> > And the document at:
> > https://software.intel.com/security-software-guidance/api-
> app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-
> vulnerabilities.pdf
> >
> > Cc: Star Zeng <star.zeng@intel.com>
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Laszlo Ersek <lersek@redhat.com>
> > Contributed-under: TianoCore Contribution Agreement 1.1
> > Signed-off-by: Hao Wu <hao.a.wu@intel.com>
> > ---
> >
> MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
> | 16 +++++++++++++++-
> > 1 file changed, 15 insertions(+), 1 deletion(-)
> >
> > diff --git
> a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib
> .c
> b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib
> .c
> > index cd1f1a5d5f..63c1eea3a2 100644
> > ---
> a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib
> .c
> > +++
> b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib
> .c
> > @@ -16,7 +16,7 @@
> >
> > SmmPerformanceHandlerEx(), SmmPerformanceHandler() will receive
> untrusted input and do basic validation.
> >
> > -Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR>
> > +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
> > This program and the accompanying materials
> > are licensed and made available under the terms and conditions of the BSD
> License
> > which accompanies this distribution. The full text of the license may be
> found at
> > @@ -538,6 +538,13 @@ SmmPerformanceHandlerEx (
> > break;
> > }
> >
> > + //
> > + // The AsmLfence() call here is to ensure the previous range/content
> > + // checks for the CommBuffer have been completed before calling
> > + // CopyMem().
> > + //
> > + AsmLfence ();
> > +
> > GaugeEntryExArray = (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1);
> >
> > for (Index = 0; Index < NumberOfEntries; Index++) {
> > @@ -650,6 +657,13 @@ SmmPerformanceHandler (
> > break;
> > }
> >
> > + //
> > + // The AsmLfence() call here is to ensure the previous range/content
> > + // checks for the CommBuffer have been completed before calling
> > + // CopyMem().
> > + //
> > + AsmLfence ();
> > +
> > GaugeEntryExArray = (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1);
> >
> > for (Index = 0; Index < NumberOfEntries; Index++) {
> >
next prev parent reply other threads:[~2018-11-16 3:45 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-16 1:37 [PATCH v1 0/2][UDK branches][CVE-2017-5753] Additional Bounds Check Bypass issue in SMI handlers Hao Wu
2018-11-16 1:37 ` [PATCH v1 1/2] MdeModulePkg/SmmCorePerfLib: [CVE-2017-5753] Fix bounds check bypass Hao Wu
2018-11-16 3:13 ` Zeng, Star
2018-11-16 3:45 ` Wu, Hao A [this message]
2018-11-16 1:37 ` [PATCH v1 2/2] SecurityPkg/OpalPWSupportLib: " Hao Wu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=B80AF82E9BFB8E4FBD8C89DA810C6A093C84D39F@SHSMSX104.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox